alexmags/DeviceFileEvents.kql

Last active February 26, 2022 09:07

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/alexmags/b41ad580cd02f508d37fd4a04c11c421.js"></script>
Save alexmags/b41ad580cd02f508d37fd4a04c11c421 to your computer and use it in GitHub Desktop.

Download ZIP

KQL to see who interacted with a file. Defender for Endpoint Advanced hunting. https://blog.alexmags.com/posts/exchange-online-email-investigation/

Raw

DeviceFileEvents.kql

	DeviceFileEvents
	//\| where SHA256 == 'file hash here'
	\| where FileName startswith "KFC secret recipe"
	\| order by Timestamp asc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment